[SE/Linux] status / progress report 13jun2004
From: Luke Kenneth Casson Leighton (lkcl_at_lkcl.net)
Date: Sun, 13 Jun 2004 15:36:48 +0000 To: firstname.lastname@example.org, SE-Linux <email@example.com>, firstname.lastname@example.org
This is a status / progress report for Debian / SE/Linux integration.
I look forward to the day when it need no longer be maintained,
which will be when all of the outstanding issues have been addressed.
The constant work-in-progress version of this report will always be
The major outstanding issues are:
* debian kernels need to be available compiled with se/linux security
enabled (and boot-time optional) by default. this results in a
2% performance hit (wow big deal) when se/linux is not enabled
at boot time. Gentoo, SuSE and Fedora all accept this 2%.
* sarge freeze is holding back libselinux1 from being made "Required"
which is holding pretty much evveerrything up, but there is a
temporary idea (do a package se-<pkgname>) as a workaround.
* a decision needs to be made on dpkg either to accept the postinst.d
idea or come up with a workable alternative. decision appears to
be held up because people "don't like the idea of selinux" rather
than for any genuine technical reason.
"alternative" patched dpkg package that provide the postinst.d
functionality will be made available "ad infinitum" until a
decision is made.
... how about an se-dpkg? maybe the se_apt-get, se_dpkg,
se_dpkg-reconfigure scripts could be moved into it, at the
* the idea of using a pam_selinux.so for everything has been disrupted
slightly for certain packages such as kdm, openssh, because the
ordering of opening ttys and calling the pam session stuff tends
to be moved about by upstream developers - without consideration
as to the impact it will have. pre-pam_selinux patches (esp. for
openssh) have been "dusted off".
* pam seems to have "lost the plot" a bit and serious consideration
is being given to doing a fork for BOTH redhat AND debian.
[the debian pam maintainer has a staggering FIFTY upstream
patches in debian/patches/ for 0.77. he's prepared to accept
ANOTHER patch to add to the list, for selinux, but only
against latest cvs - 0.78 or above. redhat also have to
maintain their own patches - against 0.76 - which includes
bug fixes that aren't in the "alternative" debian packages
yet, and it's all just going pear-shaped]
* "alternative" unstable packages (which had had to be patched,
see individual status reports below) for:
* "standard", or "default" packages for unstable (sid)
selinux-policy-default, selinux-utils, libselinux1,
checkpolicy, policycoreutils and selinux-doc
are available from the debian mirrors - current versioning
is 1.12-2 to 1.12-3 of these packages.
NSA/SELinux kernel 2.6:
status: most of the selinux enhancements are available
upstream in 2.6, however the very latest patches
are only available from the above sites.
status: presently, base packages are frozen and no modifications
or additional packages are allowed (to base). this
affects libselinux1 status from being changed, and therefore
pretty much everything else from thereon down.
temporary measure idea for maintainers is to produce
"se-pkgname" which will later on be an empty package
depending on "pkgname".
debian kernel 2.6 images:
status: raised only 12 days ago. requested that se/linux
security config options be enabled in stock
Debian kernels but require selinux=1 and enforcing=1
to switch it on.
status: 1 year old, requested information, information now
provided, upstream and maintainer prodded for
acknowledgement. [30may2004] mike stone responded
by saying that it's unlikely that action will be taken
until after sarge is released.
status: russell alerted maintainer that upstream inclusion
is done (157 days ago) but debian package 3.7-1
disables it by default due to libselinux1 not being
"base/required" or "important". change made to
libselinux1 to reflect that.
[30may2004] paul martin confirmed that he is waiting
for this change, and the "ftpmasters" need to make
13jun2004: pinged paul suggesting the se-<pkgname>
i think this one's my favourite.
status: 1 year old. bit of a wing-ding and misunderstanding
over a field name, fortunately the maintainer stood
his ground until the non-cron-code-experts understood
the issues. updated patch sent.
31may2004: steve (maintainer) evaluating patch. also
steve aware of sarge freeze and implications.
8jun2004: bug found in cron which was accidentally
fixed in selinux version. steve (maintainer) now
happy. to check / confirm latest patch with sds (nsa)
8jun2004: steve to create a cron and se-cron package
where se-cron will be a dummy package when sarge
is released (and libselinux1 goes to "Required").
10jun2004: dan walters created new patch, with some
additional cleanups etc. sent to steve (maintainer)
status: amazingly, only 19 days old. unless there's an
earlier one and it's already been integrated
upstream. changes are only to pam_unix, apparently,
on that one (and there's another patch for pam_selinux).
information sought from upstream and from the
30may2004: several messages to upstream explaining
that pam_selinux.so is needed upstream before
other packages can start putting
"session required pam_selinux.so" into upstream
30may2004: subscribed direct to list to avoid
moderation and wrote message explaining situation
(pam upstream acceptance or lack of equals major
1jun2004: issue with packages opening and closing
sessions, plus upstream packages moving the place
where pam is called from (e.g. openssh) causing
tty problems. serious consideration being given
to reinvoking / dusting-off the selinux patches that
pam_selinux was supposed to do away with, on the
basis that upstream authors are less likely to
interfere with the ordering of "#ifdef WITH_SELINUX"
than they are with moving calls to pam_open_session.
8jun2004: situation with pam is bad: no communication
whatsoever received from upstream. bugs in 0.76 fixed
for fedora, too much work to back-port. serious
consideration being given to forking pam. debian
maintainer happy to accept patch against latest sf.net
cvs (0.78 or above)
status: mr russell coker's postinst.d patch is apparently
well-known and the bugreport has been merged with
other bugs, one of which (#17243) dates back to
1998! kuudosss. however, the maintainer says that
those bugs are part of a larger picture of
required / requested functionality and they don't
want to proceed with what would turn out to be a
30may2004: after evaluating options (see links
above) initiated thread to convince dpkg
developers to incorporate postinst.d patch.
13jun2004: no response yet received, another ping
status: raised 50 days ago. seeking information from
13jun2004 contact. advised maintainer of
se-cron idea pending sarge unfreeze, suggested
doing an se-init (se-sysvinit), temporarily.
status: 30may2004 - russell's explained that this patch is no
longer needed because the patches to PAM deal with
8jun2004 - serious consideration being given to
requesting the (retired) openssh WITH_SELINUX
patch be added due to calls to pam_open_session
having been moved to before ttys are set up
(in sshd). it's all gone pear-shaped.
10jun2004: investigation by dan and russell leads
to a decision to reintroduce the former openssh patch,
the one that didn't need pam_selinux, and to drop
pam_selinux in openssh.
star, procps, util-linux, shadow, vixie-cron:
status: although patches are available from
no bug-report or integration into debian/selinux have
been initiated for these packages.
colin walters does have debian packages available
(mirrored at http://selinux.lemuria.org/walters)
status: what used to be a patch in login can be achieved
equally well with pam_selinux.so session.
TODO: must write patch for kdm's /etc/pam.d/kdm to have
pam_selinux.so session required
status: patch created to do context switch but due to the
design of kdm's backend the use of pam_selinux.so
session achieves the same goal, making patching kdm
TODO: must write patch for kdm's /etc/pam.d/kdm to have
pam_selinux.so session required
status: patch created but not yet accepted upstream. code
in wdm needs to be evaluated to see if pam_selinux.so
session will do the same job.
status: patch accepted upstream to do session management.
it was essential in gdm that this be done because
the process doing authentication is separated from
the process doing the program running: pam_selinux.so
session would therefore be insufficient [without a
rewrite of gdm?]
status: not known [to me].
status: still at priority "optional". 30may2004 message sent
to debian-devel requesting assistance in alerting
the "ftpmasters" to the issue. response: russell
should have received a notification because ftp.debian.org
automatically "overrides" the priority.
status: the postfix policy requires that you disable chrooting
in order for postfix to work. 253732 is a wish-list
requesting an extra dpkg config question advising people
to select "no i do not want to chroot" if they are
installing on an se/linux system.
-- -- Information I post is with honesty, integrity, and the expectation that you will take full responsibility if acting on the information contained, and that, should you find it to be flawed or even mildly useful, you will act with both honesty and integrity in return - and tell me. -- <a href="http://lkcl.net"> lkcl.net </a> <br /> <a href="mailto:email@example.com"> firstname.lastname@example.org </a> <br /> -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact email@example.com